Project Management Institute

Strategic and operational risks and opportunities--how are they handled over time, in different project types


The purpose of this study is to investigate the contribution from project risk management to the achievement of project objectives. In a hierarchy of project objectives, strategic objectives will often be principally different from the operational. Operational objectives concern the project outputs/results and strategic objectives concern the project goal and purpose.

In this study, risks are categorized as risks to operational, long-term, or short-term strategic objectives. The study aims to find out whether the distribution in a project between these risk categories has any relation to other characteristics/distinctive features of the project. We also study how the project handles opportunities and threats, with the same aim.


Today, risk is considered a major factor influencing project success, and project risk management is an important activity in any capital project. Project risk management is also one of the nine knowledge areas in PMI's standard, A Guide to the Project Management Body of Knowledge (2004). Most maturity models include risk, including PMI's OPM3® (2003). And there will soon come a new standard from PMI on project risk management.

A risk is here defined as “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project's objectives” (PMI, 2004). A characteristic of a risk is that it has both a consequence and a probability.

An uncertainty is here defined as “the difference between the amount of information required to perform the task and the amount of information already possessed by the organisation” (Galbraith, 1977). This definition is based on a subjective description of an individual's or an organization's need for more information, focusing on a given task they will perform.

In this context, both terms include both positive and negative possibilities.

A common term referring to both risks and uncertainties is needed, for instance when we refer to the total contents of the “risk registers” investigated here, which include both risks and uncertainties. We have here chosen to let that term be “risk” whenever we need a common term for risks and uncertainties. This has, for instance, also been done by Miller and Lessard (2001), and in practice also by PMI, which in the PMBOK® Guide did not define the term “uncertainty,” nor include it in its glossary or index (PMI, 2004).

Several authors in the field of risk or uncertainty management claim that opportunities are not well utilized, or not even identified, in projects (Hillson, 2002; Olsson, 2007). It is claimed that basically threats are seen as important to projects.

The challenge of reducing the effects of threats and increasing opportunities was studied closer by Olsson (2007). Through case studies, he investigated the actual handling of opportunities and threats in a larger number of projects, and his studies conclude that the risk management processes used will only give a very limited support for the management of opportunities. In a time perspective, projects will focus stronger on threats as they get closer to delivery or acceptance from the customer or project owner. This was implicitly said by Olsson (2007), when he made a distinction between “bid/sales phase” and “project execution.”

The relation between project and business units in the base organization may be crucial to how opportunities and threats are handled. While the project unit's responsibility is the defined deliveries, the business units are responsible for the business case. Naturally, the project unit will then focus on threats, and the business units on opportunities.

Here the closing of risks will be studied. This is, however only one way to handle risks. Reducing the probabilities and consequences of risks are other ways to mitigate risks. This will be studied closer later in this study, and will be the subject of a forthcoming research paper.

Addressing risks in an appropriate way is crucial in order to achieve project success, regarding both opportunities and threats. The severity of a risk will depend on its impact, that is, what it is a risk to, and how seriously it impacts this entity. A relevant categorization of risks should therefore be to ask what they are a risk to (Hillson, 2004). If we consider the different levels of project objectives, a number of authors have defined three levels: operational, short-term strategic (or tactical), and long-term strategic (or just strategic) objectives (Samset, 2003; Shenhar, Dvir, Levy, & Maltz, 2001).

Project success may be seen in principally three time perspectives and three stakeholder perspectives (Samset, 2003):

  1. The project (i.e., its “operator”) will have a “project internal” perspective, focusing on the project's deliverables, direct costs, and time schedules. This is typically seen in a very short time perspective.
  2. The customer's or user's perspective, focusing on the benefits from the project or the project's direct effects. This will necessarily be in a little longer time perspective than the project's perspective.
  3. A (financing) project owner will have a longer-term strategic view on the project, taking its long-term effects into consideration. This view will have the longest time perspective.

The three levels of project scopes or project objectives define a “project success hierarchy” that may also be used to define three risk levels or risk categories, then focusing on the level of project objectives the risk is addressing.

The typical project is concerned about its efficiency, about its short-term success (Samset, 2003), that is, keeping within time schedule, budget, and delivering according to specifications. Many authors (e.g., Atkinson, 1999) call this the “iron triangle” of projects. Some authors claim that mainly operational objectives are addressed by the projects, while both short-term and long-term strategic objectives are getting much less attention (Atkinson, 1999; de Wit, 1988; Jaafari, 2001). As with threats versus opportunities, we often see operational risks getting priority toward a delivery or acceptance milestone, as also indicated by the results of the survey by Pinto and Slevin (1988).

Effectiveness is about doing the right things, while efficiency is about doing them in the right way (Crawford & Bryce, 2003). If mainly operational risks are addressed, there is a danger of projects being managed efficiently, but to a lesser extent being effective, both for the project owner and for other stakeholders. Relating this to the risk categories regarding project objective levels, an operational risk will (usually) concern the project's efficiency, while strategic risks will often concern the project's effectiveness.

Projects may be categorized in numerous ways. Some studies on this—both theoretically and empirically—may be found in Archibald, 2005; Wysocki, Beck, and Crane, 1995; and Youker, 1999. For the studies done here, categorizations based on project size and technological uncertainty are utilized.

For projects where the use of technology is of importance, it is relevant to a) study the influence of this and b) see how this technology has influence on the management of the project. In a number of studies, Shenhar and Dvir et al. have established a categorization of projects regarding “technological uncertainty” of projects (Dvir, Lipovetsky, Shenhar, & Tishler, 1998, 2003; Shenhar & Dvir, 1996; Shenhar et al., 2001). Their project studies are based on the assumption of some typical correlations between their “technological project categories” and critical success categories. In our study, we will categorize the projects according to their level of technological uncertainty, and examine possible relation with risk management and other factors in the projects. We use the categories in accordance with Shenhar and Dvir (1996):

  • Low-tech projects—low technological uncertainty. Implements familiar technologies. Will rely on existing and well established base technologies.
  • Medium-tech projects—medium technological uncertainty. Such projects involve adaptation of familiar technologies. Will rest mainly on existing and mature technologies. May involve a limited amount of new technology, but not for critical elements in the project.
  • High-tech projects—high technological uncertainty. First use of new technologies. In such projects most of the technologies are new, but existent.
  • Super high-tech projects—super high technological uncertainty. Develops new technologies. Based primarily on new, and non-existent technologies at project initiation.

Research Questions

We will here do a longitudinal study of the risks that we have found in the seven projects studied. We compare the occurrence of different risk categories to the characteristics of the projects. The projects are grouped according to these categorizations: large, medium, and small, and hi-tech, medium-tech, and low-tech project. The risks are categorized in two different ways: both on an operational scale—short-term and long-term strategic—and whether the risks are identified as possible threats, opportunities, or both.

  1. Based on this categorization of risks and projects, we want to find out whether—within the groups, subgroups, and categories—we find any patterns regarding:

    • For opportunities and threats: any overall trends?

    • When (in the project's life cycle) are, on average, the risks registered?

    • After how long a time are, on average, the risks closed?

  2. How is the relative distribution of risks over time regarding the risk categories:

    • Operational/strategic

    • Opportunities/threats

  3. Can we identify any project characteristics that will explain observed differences between projects?


For this study, we chose a combined approach, using both qualitative and quantitative data collection methods (Creswell, 2003; Flyvbjerg, 2006). An introductory interview in each project gave a first insight into their differences and similarities. Data were collected from the risk registers of seven projects in the energy sector over a period of six months. The data collected covered a longer period of time, so for some of the projects we have used data from some two to three years. For one project it was limited to nine months.

For quality assurance, initial results from the study were shared in follow-up interviews with persons with insight in the projects. These follow-up interviews gave better insight into certain aspects that were brought to light through the data analysis. After the follow-up interviews, a summary of methodology used and preliminary results were presented to an expert panel from the companies for feedback and comments.

The main data source for this article has been the reports with data extracted from the project risk registers. This has been supplemented (to some extent) with information from the interviews.

For the study, all identified risks were categorized according to their possible impact to the project's—and the organization's—objective levels: operational, short-term strategic, or long-term strategic. A criteria set had been established, making it possible to categorize risks based on information in the risk register. These criteria are developed based on a study of the literature dealing with project objectives with long- and short-term perspectives.

There has also been made a categorization into opportunities and threats, also called positive and negative risks. Some risks could not easily be put into any of the categories, differing slightly between the opportunity/threat categorization and the strategic/operational one. Therefore, the total numbers for risks in the projects will differ slightly in the tables.

The Cases Studied

The study was performed in seven projects in organizations in the energy sector. The projects studied may all be characterized as engineering and construction projects, and they are all large projects (i.e., projects with total costs of 100 million Euro [€] or more). They were selected to represent a broad range of projects regarding size, project phase, and project culture.

The projects studied were in different project phases, varying from one that had not yet made all conceptual decisions to one that was close to takeover and start-up of production. The other ones were at different stages between these.

Regarding their organizational relations, most of the projects are quite complicated, both because ownership of the project results will be split, and because suppliers/contractors to the projects are many and diverse.


For the first research question, regarding when the risks are identified, the projects’ identification of risks as opportunities (“positive risks”) versus threats (“negative risks”) were examined. The results are given in Table 1.

Table 1: Distribution of identified risks, threat/opportunity categories

Distribution of identified risks, threat/opportunity categories

In the table, data are given for each project phase: Phase I, “Concept development,” Phase II, “Design,” and Phase III, “Detail design, construction, and test.” For each project, the first line gives the number of risk elements. The second line gives the percentage of the total of risks for that project.

The total numbers of risks that can be categorized as threats versus those that either can be categorized as opportunities or both threats and opportunities are 80% to 20%. There are quite large differences to this between the projects, where the projects may be grouped as shown in Table 2.

Table 2: Grouping of projects based on identification of opportunities/threats

  Group I Group II Group III
  “Most positive” “Middle layer” “Mostly threats”
Threats vs. (opport. + opport&threats) ~ 66% : 33% ~84% : 16% ~ 98% : 2%
Projects Project C, E and F Project A, Project B Project D, Project G

How the projects have identified risks in relation to the three risk categories—operational risks, short-term strategic risks, and long-term strategic risks, opportunities versus threats—is shown in a similar way in Table 3.

Table 3: Distribution of identified risks, strategic/operational categories

Distribution of identified risks, strategic/operational categories

The projects have been categorized regarding their size measured as total project costs, the cost categories shown in Table 4, which also shows the project distribution.

Table 4: Classification of projects by size

  Small Medium Large
Total project costs Projects 100M€ <costs <300M€ Project A, B and C 300M€ <costs <1.2B€ Project E, Project G more than 1.2 B€ Project D, Project F

The classification of projects regarding technological uncertainty (see end of Rationale section) is then applied to the projects. Results are shown in Table 5.

Table 5: Classification of project technology

  Low-tech medium-tech High-tech Super high-tech
Projects Project B, Project C Project F, Project G Project A, Project D, Project E  

Data for the study concerning the research question regarding closing time for risks have been calculated for each category for each project for each phase. Here we can only present the overall numbers shown in Tables 6–8. The averages presented in these tables are representative for the risks both when categorized from operational to longtime strategic and as threats/opportunities. More details may be obtained from the authors.

Table 6: Average closing times for risks, in months

  Phase I Phase II Phase III
Project A - 5 -
Project B - 9.5 5-6
Project C 16 16 7
Project D - 19 10
Project E 7.5 6 3
Project F - 22 12
Project G - 11 7

Table 7: Averages of standard deviations for risk closing times

  Phase I Phase II Phase III
Project A - 1 -
Project B - 8.4 3
Project C 5.5 5.5 4
Project D - 2.1 3.3
Project E 4.7 3 1
Project F - 4 6
Project G - 7 5.6

Table 8: Average percentage of risks closed

  Phase I Phase II Phase III
Project A - 18 -
Project B - 50 78
Project C 90-95 90-95 80
Project D - 77 26
Project E 80 37 20
Project F - 90 70-75
Project G - 72 55


Regarding identification of threats/opportunities

The proportion of identified opportunities versus threats drops toward the end of the construction and testing phase. Early phase figures are small, so they cannot yet support any strong conclusions. From phase II to phase III, the number of opportunities identified drops from 18% to 10%.

No patterns were found regarding opportunities/threats and the project categories based on size and technology.

Regarding identification of operational/strategic risks

The general picture is that the focus is increasingly on operational risks closer to delivery/customer acceptance. In phase I about 20% of the risks identified are strategic, while in phase III only some 3% are. However, in the middle phase some 25% of the risks are strategic. The projects with large numbers of risks identified are strong contributors to this.

No patterns were found for operational/strategic risks and the project categories based on size and technology.

Risk closing averages per project per phase, summarized in Tables 6–8

No significant differences between the categories “opportunity/threat” were found regarding average times, standard deviations, or percentage closed. Neither was it found for the operational/strategic categories.

Average closing time for risks

Whether risks are categorized as opportunity/threat or as operational/strategic, the change is about the same. The most significant changes are, for the projects C, D, and F, the closing time was approximately halved from one phase to the next. For other projects there are only less significant changes.

Percentage of the risks closed

Here projects differ largely, however an overall decrease toward the end of phase III is observed.

Using the defined “project categories” (project size and project technological uncertainty), searching for patterns in risk closing time and percentage closed

Regarding project size:

  • Smallest projects have short risk closing times
  • Largest projects have the longest closing times

Regarding project technological uncertainty:

  • “Low-tech” projects show medium risk closing time
  • “Medium-tech” projects show an average behavior
  • “High-tech” projects have no pattern for closing times. Overall percentages of closed figures are low.

The overall trends in the figures for risk closing times, standard deviation of the risk closing time, and percentage of risks closed are decreasing. This is as expected when the time horizon for the observations is so short compared to the average closing time for risks.

In particular for the risk categories regarding opportunity/threat, both for risk closing time and percentage closed, they are on average. (Regarding the risks categorized as strategic compared to those categorized as operational, this has been covered in Krane, Rolstadås, and Olsson (2009.)

Regarding variation over time within each project, we have not yet found any obvious relation to project technology classes, project size, or the risk categories. We continue looking for factors that may have stronger influence on this variation. We will in particular look closer into whether the variation depends more on project internal factors (as, for instance, reporting routines, risk workshops, etc.), and less on how risks evolve and occur.

For variations between projects, generally sources can be of two kinds: some depend on characteristics of that particular project, and some on the project's approach to risk management (e.g., priorities regarding searching for opportunities or strategic risks, or level of detail they have settled on for entering risks into the risk register).


In this paper, we wanted to study to what extent risk management included both threats and opportunities. In the seven projects in this study, more threats than opportunities have been identified. We have also observed from the detailed studies of the risk register that most of the projects obviously have made an effort to find opportunities. It would therefore not be correct to claim that the projects have had a focus on threats. Overall, far more operational risks than strategic were identified in the seven projects.

We aimed at studying when in the project's life cycle most risks (threats or opportunities) were registered. In the projects studied, fewer opportunities have been identified toward the end of the projects.

We wanted to find the relative distribution of risks over time for different risk categories. We find that in most of the projects, fewer strategic risks were identified toward the project end than in earlier phases of the projects.

Finally, we were in search of any project characteristics that could explain observed differences between projects. No relation has been found between the projects’ risks when categorized as opportunity/ threat or strategic/operational, and the project size or technological uncertainty. Neither has any pattern been found for opportunities or threats regarding risk closing time or the percentage closed.

There should be more studies done on:

• Identifying and investigating other project characteristics

• Other risk reduction strategies than closing risks (discussed briefly in Rationale section)

It is hoped that this will be possible to address in further papers based on the data used in this study.


We would like to express our great gratitude to all the contributors in the organizations involved in our study, who gave us access to their project data. Also thanks to the project management, who generously let us use their precious time during the study. And, not least, many thanks to the database experts who patiently listened to our requests and conscientiously supplied us with the data necessary to perform the study.

Archibald, R. D. (2005). The purposes and methods of practical project categorization. Paper presented at the International Project/Program Management Workshop 5. Retrieved March12, 2009 from

Atkinson, R. (1999). Project management: Cost, time and quality, two best guesses and a phenomenon, it's time to accept other success criteria. International Journal of Project Management, 17(6), 6.

Crawford, P., & Bryce, P. (2003). Project monitoring and evaluation: A method for enhancing the efficiency and effectiveness of aid project implementation. International Journal of Project Management, 21(5), 363-373.

Creswell, J. W. (2003). Research design: Qualitative, quantitative, and mixed methods approaches. Thousand Oaks, CA.: Sage Publications.

de Wit, A. (1988). Measurement of project success. International Journal of Project Management, 6(3), 164-170.

Dvir, D., Lipovetsky, S., Shenhar, A., & Tishler, A. (1998). In search of project classification: A non-universal approach to project success factors. Research Policy, 27(9), 915-935.

Dvir, D., Lipovetsky, S., Shenhar, J. A., & Tishler, J. A. (2003). What is really important for project success? A refined, multivariate, comprehensive analysis. International Journal of Management and Decision Making, 4(4), 23.

Flyvbjerg, B. (2006). Five misunderstandings about case-study research. Qualitative Inquiry, 12(2), 219-245.

Galbraith, J. R. (1977). Organization design. Reading, MA: Addison-Wesley.

Hillson, D. (2002). Extending the risk process to manage opportunities. International Journal of Project Management, 20(3), 235-240.

Hillson, D. (2004). Effective opportunity management for projects: Exploiting positive risk. New York: Marcel Dekker.

Jaafari, A. (2001). Management of risks, uncertainties and opportunities on projects: Time for a fundamental shift. International Journal of Project Management, 19(2), 89-101.

Krane, H. P., Rolstadås, A., & Olsson, N. O. E. (2009). Risk categorization—Basic concepts, and some lessons learned from studying real projects. Paper presented at the PMI EMEA Global Congress 2009.

Miller, R., & Lessard, D. (2001). Understanding and managing risks in large engineering projects. International Journal of Project Management, 19(8), 437-443.

Olsson, R. (2007). In search of opportunity management: Is the risk management process enough? International Journal of Project Management, 25(8), 745-752.

Pinto, K. J., & Slevin, P. D. (1988). Critical Success Factors Across the Project Life Cycle. Project Management Journal, 19(3), 67.

PMI. (2003). Organizational project management maturity model: OPM3 knowledge foundation. Newtown Square, PA: Project Management Institute.

PMI. (2004). A Guide to the project management body of knowledge: (PMBOK® guide) (2004 ed.). Newtown Square, PA: Project Management Institute.

Samset, K. (2003). Project evaluation: Making investments succeed. Trondheim: Tapir Academic Press.

Shenhar, A. J., & Dvir, D. (1996). Toward a typological theory of project management. Research Policy, 25(4), 607-632.

Shenhar, A. J., Dvir, D., Levy, O., & Maltz, A. C. (2001). Project success: A multidimensional strategic concept. Long Range Planning, 34(6), 699-725.

Wysocki, R. K., Beck, R., & Crane, D. B. (1995). Effective project management: How to plan, manage, and deliver projects on time and within budget. New York: Wiley.

Youker, R. (1999). The difference between different types of projects. Paper presented at the 30th annual Project Management Institute seminars and symposium, Philadelphia, USA.

This material has been reproduced with the permission of the copyright owner. Unauthorized reproduction of this material is strictly prohibited. For permission to reproduce this material, please contact PMI or any listed author.

© 2009, Hans Petter Krane
Originally published as a part of 2009 PMI Global Congress Proceedings – Amsterdam, Netherlands



Related Content

  • PM Network

    Playing with Fire

    By Jones, Tegan With the coastline of an entire continent burning, a scorched-earth urgency had teams across Australia racing to control the damage. Between September 2019 and January 2020, bushfires ravaged…

  • PM Network

    Trees of Life

    By Hendershot, Steve The world needs more trees—and a lot of them—to stem the damage wrought by mass deforestation. Brazil alone is destroying the equivalent of three football pitches per minute in the Amazon rainforest…

  • PM Network

    Rising Risks

    By Nilsson, Ryan For as long as humans have been building cities, they have migrated toward the coasts -- for food, ease of transportation and any number of ecological benefits. Today, it's estimated that more than…

  • PM Network

    From the Rubble

    By Thomas, Jennifer Puerto Rico's infrastructure woes began long ago. But a series of earthquakes this year coupled with hurricanes Irma and Maria in 2017—which racked upUS$139 billion in damage—exacerbated the U.S.…

  • PM Network

    Trading Transformed?

    Blockchain—the technology that made cryptocurrency mainstream—is now entering the U.S. stock market. In November, the U.S. Securities and Exchange Commission approved a pilot project to use…